The video highlights the symptoms experienced on exploited phones; it doesn't show how to perform the attack. The attacking phone has been kept off screen. (It isn't difficult to find the CCC video at this point.)

The "Curse of Silence" was disclosed to several telecommunications operators about seven weeks ago and we were brought into the loop a few weeks later. The timing has been a real pain in the neck for those of us in the lab. We'd rather be researching something else or enjoying a relaxed holiday than dealing with a detection for an exploit that will mostly likely be used by jealous boyfriends.

Still, it is a safe bet that the Curse will be used to harass people, so support personnel should know what to look for.

A lot of Friendster users have been complaining about receiving lots of invitations to view a fake video from their contacts (who presumably would not usually send malicious content to their friends).

Here is an example of such an invite, from a known contact:

So how are the spammers getting access to the contacts lists?

Well, as we mentioned in our earlier post, a phishing site that mimics the real Friendster site steals the user's e-mail address and password information. Once the bad guys have that information, they can use it to access the account, and then use the account to start spamming malicious links to all contacts. Simple and effective, really. Users receiving these messages from a contact are more likely to disregard caution and click on it.

This particular link leads the user to the legitimate domain, files.myopera.com, and a file named video.gif. But wait — to check the contents of the file, try using view-source (in Firefox). As it turns out, users will be redirected to a malicious, fake video site.

Of course, the new site will prompt users to "update the video player" with a certain file in order to view the video.

The file the site would like you to download is cunningly named setup.exe, we detect it as net.worm.win32.koobface.dd — a worm that, incidentally, also spreads on social interaction websites.

As usual, beware of clicking any URL links, whether from a known or unknown sender. Don't forget to change your Friendster account password regularly to avoid abuse.

An easily reproducible SMS exploit was disclosed and demonstrated today at the 25th Chaos Communication Congress (25C3). The exploit is effective against a wide range of Symbian S60 smartphones and will effectively prohibit victims from receiving SMS messages.

The Chaos Communication Congress is a popular event among international "hacker" enthusiasts. It has been organized by the Chaos Computer Club since 1984, has been held in Berlin since 1998 and typically takes place between December 27th and 30th.

Today's Security Nightmares 2009 presentation included a demonstration of the Curse of Silence exploit, which was researched by Tobias Engel of the CCC.

According to Engel's research, the exploit affects the messaging components of Nokia Series 60 phone versions 2.6, 2.8, 3.0, and 3.1. Our own tests determined that Sony Ericsson UiQ devices are vulnerable as well.

According to Engel's research, the vulnerable phones fall into two camps: S60 versions 2.6/3.0 (2FP2/3) and versions 2.8/3.1 (2FP3/3FP1). That's still too many numbers, so let's just select two phones.

The vulnerability is very simple to exploit via an SMS message. No special software is required and the message can be drafted from a large number of phones. The message just needs to be formatted in a particular way. (We will not provide exact details here.)

What happens when a vulnerable phone receives the exploit message?

Example 1 — on the older 6680 nothing happens. Nothing at all… The first exploit message is enough to crash the SMS messaging service. It is a completely silent attack and there are no hints of trouble presented to the victim. The phone will simply stop receiving SMS (as well as MMS) messages.

Example 2 — on the newer N95, nothing will happen until several messages have been sent by the attacker. Then, once the critical limit has been reached, the phone will prompt an alert: "Not enough memory to receive message(s). Delete some data first."

The attack messages will not be visible from the Inbox, and deleting previously received messages will not resolve the problem.

There will also be one additional notification on the N95. A blinking envelope, indicating that the Inbox is full, appears in the upper right-hand corner of the display.

Turning the N95 off and on again may return some limited functionality, but that functionality is very fragile. One multi-part message was enough to completely disable our test phone's SMS/MMS service, at which point even cycling the power did not help.

Exploited phones will remain otherwise completely functional; only the SMS/MMS messaging is affected. Practically speaking, this also means no SMS notifications of voicemail, though the phone log will display the missed call.

A firmware fix is not yet available. Performing a hard-reset is the only manual solution. And backing up the phone also backs up the exploit messages and the damaged messaging service.

Shameless self-promotion begins:

However — Engel practiced reasonable disclosure, which is why we have had time to test the exploit ourselves before today's CCC demonstration. Our Mobile Security solution will detect the exploit and can repair affected phones.

The exploit is detected as Exploit:SymbOS/SMSCurse and Mobile Security is capable of repairing exploited phones so that it will not lose any messages. Messages that have been sent while the messaging service is jammed will of course be lost.

Hopefully this exploit will not be widely used. We don't see much of a profit motive after all. Still, there were thousands of participants at this year's CCC and many of them saw the demonstration. As easy as it is to utilize the Curse of Silence, someone will surely try this for harassment…

A free seven day trial of Mobile Security can be directly download to phones from here.

We will have a video demonstration available soon.Update: Info on the video is here.

Our File Analysis Team — they collect non-malicious files — came across an interesting case yesterday. Dzul Aiman was researching available driver downloads from Acer's Taiwanese (.tw) site and discovered something out of place. Maybe the site was hacked?

The list for WindowsXP Desktop drivers…

…included "nc.exe". That's a bit suspicious, don't you think?

That's probably a "driver" that you don't want to download. (Though it was probably Net Cat, it still shouldn't be there… it's not a trusted source.)

The team e-mailed Acer and the issue seems to have been resolved promptly.

So, even those that aren't looking for trouble may still find it. Stay vigilant.

There are some new developments on the mobile security front. Spy tool applications are now available for Apple's iPhone. Symbian and Windows Mobile spy tools have been around from two and a half to almost three years.

Now it would seem that it's finally the iPhone's turn.

One of the two spy vendors appears to require a jailbroken iPhone. They also claim to be the "first and only" spy software. If only that were true. Their application can be installed on 3G model iPhones.

…and on December 21st, a second option will be available. This vendor's comparison chart claims quality and features over costs.

Note that their application lets you "secertely" spy.

It doesn't seem entirely sure based their promotional promises, but it appears that vendor number two may be able to jailbreak, install, and then un-jailbreak the iPhone during its installation. It can be installed on older iPhones as well as current.

We wonder what Apple's position on this will be; will they do anything about it? What do you think?

We won't bother providing these spy vendors with a backlink to our weblog, so if you want to see more, use the addresses in the image below.

A quick update to our earlier post about the recent critical vulnerability (MS08-078) in all available versions of Internet Explorer — Microsoft has released an update patch for the vulnerability. More information, including the patch, can be found here.

There have been a number of reports citing thousands of websites (both intentionally malicious and legitimate but compromised) exploiting this vulnerability. You can read more at BBC News and The Register.

Everyone is strongly encouraged to download and apply the patch without delay.

Exploit Shield protects against exploits both responsively and proactively. It has both shields and generic heuristics that monitor for and block suspected malicious activity. It logs attack attempts; and will also report suspicious URLs to our Real-time Protection Network1. New shields are delivered via our automatic update channel servers.

Vulnerability Shields offer "Patch-equivalent protection". Our Vulnerability Analysts, primarily based in Kuala Lumpur, publish vulnerability advisories and detections (used by our Health Check2 service). The Vulnerability team then uses the analysis to create exploit shields. The shields utilize either a hotpatch or else will disable the vulnerable ActiveX plugin.

This is what shield details look like:

The Proactive Measures currently block suspected malicious activity in Internet Explorer and Mozilla Firefox. This component of the beta monitors for heuristic behavioral techniques common to many types of exploits. We've tested the proactive component against a couple of malicious sites targetingthe vulnerability, and the attacks have been successfully blocked.

As noted above, Exploit Shield has the option to report malicious websites that are blocked.

What do we do with the reported URL? The Response Lab will use it to respond faster. We have "HoneyMonkey" like systems to collect the exploit samples. Thus we'll have a greater ability to collection exploits and add signature detections to protect all of our customers. Exploit Shield users will help contribute to everyone's protection while remaining protected.

Our Vulnerability Response team has been working very hard during the last few days to make this beta release ready at this time. Remember, it's still in beta, and you can help them by testing and by providing feedback. A big thank you is due to all those involved.

We spotted this fake Friendster website at http://friend[...]ter.com. The website steals the e-mail address and password information entered by an unsuspecting visitor who arrives at this page thinking it's the actual Friendster site.

Links to the fake website are propagating through malicious comments sent from the compromised accounts of friends in the Friendster network. The links are also included in the infected friend's profile.

Interestingly, on further analysis, the domain http://friend[...]ter.com also pointed to a fake Facebook page as its main page!

This fake domain was registered recently in China, and is hosted in China as well. We traced the IP address and noticed that it was hosting quite a few other fake social networking websites — MySpace, Friendster, Facebook, et cetera.

The AVAR 2008 conference is in full swing in New Delhi. Almost all antivirus companies are represented in this global conference.

Recent terror attacks in India were fresh in memory and indeed the conference was started with one minute of silence to honor the victims.

The terror attacks had an indirect toll on the conference as well, as seven speakers had canceled their trips. The organizers were happy to get replacement talks from the brave Peter Szor (Symantec), Andrew Lee (K7) and Randy Abrams (ESET).

My keynote presentation covered the initiative for "Internetpol" — the need to get better global IT law enforcement in action to really focus on getting online criminals behind the bars.

Photo by Luis Corrons / Panda Security

Other notable presentations included "Exploiting anti-virtualization techniques" by Andrew Lee. Many viruses won't execute if they detect the presence of a virtual machine. Andrew was using this feature against the malware itself by installing a fake VM on a real machine. As an end result, many types of malware wouldn't run at all. Neat.

Eugene Kaspersky also did an excellent overview of the worsening situation. He highlighted how criminals are using business models except here, instead of B2B (business-to-business) we're now seeing C2C (criminal-to-criminal) models.

And Vincent Weafer from Symantec presented their latest research into underground IRC networks and how large scale this is. Over a year, they monitored over 60,000 distinct advertisers on these boards, selling malware, botnets and stolen information.

Another interesting presentation was by Swanand Dattaram Shinde from India's Quick Heal. He spoke about how the local terrorist groups use the Internet for communication, recruiting and propaganda, and even to make online threats. No cases of real cyber-terrorism though.

And here's something you don't see everyday. All electricity got shut down twice during the second day of the conference. Andrew Lee was on stage and he did not miss a beat. He simply raised volume and carried on…

As Christine mentioned earlier today in her post regarding Koobface and how it uses fake Flash players to trick people into downloading malware, a smart move is to only download Adobe Flash player from… Adobe!

Here's another example of a social engineering scam, this time using a new Bank of America online banking system.

Clicking on the link leads to a fake BoA page with a "video" showing what the new site looks like. To view you have to download the updated Flash player.

If you run the fake Flash player it downloads another file from premierinet.com which in turn is a trojan that hides itself with a rootkit, steals confidential information and posts it to a server in Ukraine.

Again, we recommend that you only download Adobe Flash Player from Adobe's website here.

Bank of America – Always Free Customer Service Demo Account, Try for FREEBank of America – learn how to trade with the Demo Dealer Station belowBank of America – We Give You The Tools You Need. Try A Free Demo Account!Bank of America – New Demo Account, Try for FREEBank of America – Demo Account Set UpBank of America – Demo accountBank of America – Open A Demo AccountBank of America – your Demo Account username and passcodes will be generated and emailed to you.Bank of America – DEMO ACCOUNT not working

There's nothing like social networking sites to keep people connected and worms propagating — such as the all new and improved Net-Worm:W32/Koobface.CZ. A little infection equals a little comment in someone's little site somewhere.

It also has its own site, where it can query for more data, updates and of course the comments that it posts to the targeted websites. The site hosts plenty of comments (and of course the corresponding links) for the worm to use. Here are some of them:

– COMMENT: Are you sure this is your first acting experience? – LINK: http://finditand .com/go/be.php?0e9c60ch=d41d8cd98f00b204e9800998ecf8427e

There has been a lot of talk (link 1, link 2, link 3) during the last few days about a support article that seemingly appeared on Apple's website. In the article, Apple advised users to install an anti-virus software to make sure their computers are safe. The reason it took people by surprise is that Apple has previously said that Mac users doesn't have to worry about antivirus software.

Turns out the support article was from 2007 and now has been pulled from Apple's site. Apple also issued a statement saying that the article was outdated and that Macs really don't need antivirus because they are so secure. Quoting a spokesperson from Apple:

"The Mac is designed with built-in technologies that provide protection against malicious software and security threats, right out of the box."

That's just silly.

While there is much less malware out there for Macs, they definitely exist, and Mac users are as likely to fall victim for traditional email based phishing attacks as PC users. Not to mention all the security vulnerabilities that Apple has fixed this year that fortunately weren't exploited but easily could have been.

The fact is that yes, Mac users are much less likely to get hit by malware but that doesn't mean that they can be totally careless and ignore potential threats all together. Use common sense and if they want to be extra safe, do install an antivirus software.

"How many photos do you have on your computer? Documents? E-mail messages, letters, and receipts of your online purchases? What happens to your files if — when — your hard drive fails?"

We currently have an active beta piloting program for F-Secure Online Backup 1.1 and would like you to try it out. However, act quickly — as we have only a limited number of beta licenses to give. For more information and to join this project, please click here.

Update: Due to an overwhelming interest, all of the beta licenses reserved for this project have been taken. Thank you to those interested in participating.